如何知道我的对等方正在使用的 OpenSSL 版本?

huangapple go评论67阅读模式
英文:

How to know the version of OpenSSL my peer is using?

问题

我有一个C应用程序。
我想根据我的接收方所使用的openssl版本来区分我的发送方。
一个使用openssl 1.0.2,另一个使用openssl 3.0.5。
有没有办法我可以知道我的对等方正在使用的openssl版本?

SSL结构中的client_version变量对于它们都提供相同的值。

从我的评论中添加这个。

所以,实际上,我的旧代码存在一些问题(这些问题我没有写出来)。它在执行SSL_shutdown之前执行SSL_free和SSL_CTX_free。现在,在较旧的OpenSSL 1.0.2版本中,这可以正常工作。但是,一旦我将我的应用程序迁移到3.0.5,我必须执行SSL_shutdown才能使通信正常工作。现在,由于我正在执行SSL_shutdown,我无法与使用1.0.2版本SSL的发送方进行通信。所以,我想知道发送方的SSL版本,然后为了使接收方能够与使用任何版本的SSL的发送方正常工作,执行SSL_shutdown。 "我不能修改我的旧代码。"

英文:

I have a C application.
I want to distinguish my senders based on the openssl version they are using from my recevier.
I have one with openssl 1.0.2 and the other with openssl 3.0.5.
Is there anyway I can get to know the version of the openssl my peer is using???

The client_version variable to SSL structure gives same value for both of them.

Adding this here from my comment.

So, actually My old code has some issues (which i didnt write). It does SSL_free and SSL_CTX_free before doing a SSL_shutdown. Now, this works fine in the older version of OpenSSL 1.0.2. But, Once i migrated my application to 3.0.5 I had to do SSL_shutdown for the communication to work properly. Now since I am doing SSL_shutdown i am unable to communicate with sender using 1.0.2 ssl. So, I want to know the version of ssl of sender and then do SSL_shutdown for my receiver to work properly with senders using any version of SSL. "I cant modify my old code."

答案1

得分: 3

我拥有发送方和接收方。我知道它们使用OpenSSL。我想要为我的应用的新版本实现向后兼容性,该版本将使用OpenSSL 3.0。

检测对等方TLS库的版本不是实现TLS层向后兼容性的方法。相反,您的服务器应该期望特定的TLS协议版本和支持的加密套件。

OpenSSL 1.0.2支持TLS 1.2,这也得到了OpenSSL 3.0的支持(它还支持TLS 1.3)。此外,在OpenSSL 1.0.2和OpenSSL 3.0之间支持的加密套件有很多重叠 - 可以查看这里 1.0.2这里 3.0。请注意,实际支持的加密套件和协议版本还取决于应用程序以及可能的配置,但如果您控制双方,应该可以实现匹配。

(来自评论)实际上,我的旧代码存在一些问题(我没有编写)。...所以,我想要知道发送方的SSL版本,然后对我的接收方执行SSL_shutdown,以便能够与使用任何SSL版本的发送方正常工作。

根据这一点,您的实际要求并不是获得TLS库的确切版本,而只是在TLS握手完成后区分使用OpenSSL 1.0.2的客户端和使用OpenSSL 3.0的客户端,而且只有在TLS握手完成后才需要。这个要求比实际检测TLS版本要简单得多:使用正确配置的OpenSSL 3.0客户端,您应该能够获取TLS 1.3,而使用OpenSSL 1.0.2只能获取TLS 1.2。可以通过调用SSL_get_version来获取已建立的TLS会话的TLS版本。

英文:

> I own both sender and receiver. I know they use OpenSSL. I want to implement a backward compatibilty for the new version of my application which will be using OpenSSL 3.0.

Detecting the versions of the peers TLS library is is not how backward compatibility for the TLS layer should be implemented. Instead your server should expect specific TLS protocol versions and ciphers supported.

OpenSSL 1.0.2 supports up to TLS 1.2 - which is also supported by OpenSSL 3.0 (which also supports TLS 1.3). Also there is lots of overlap in supported ciphers between OpenSSL 1.0.2 and OpenSSL 3.0 - see here for 1.0.2 and here for 3.0. Note that the actual supported ciphers and protocol versions also depend on the application and maybe its configuration, but if you control both a match should be possible.

> (From a comment) So, actually My old code has some issues (which i didnt write). ... So, I want to know the version of ssl of sender and then do SSL_shutdown for my receiver to work properly with senders using any version of SSL.

Based on this your actual requirement is not to get the exact version of the TLS library, but instead only to distinguish between a client using OpenSSL 1.0.2 and one using OpenSSL 3.0, and only after the TLS handshake is done. This requirement is much simpler than actually detecting the TLS version: With a properly configured OpenSSL 3.0 client you should be able to get TLS 1.3, while with OpenSSL 1.0.2 you can only get TLS 1.2. Getting the TLS version of an established TLS session can be done by calling SSL_get_version.

huangapple
  • 本文由 发表于 2023年4月10日 20:02:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/75976928.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定